Corporations and other entities often have bifurcated networks comprised of an “intranet” and an “extranet.” An intranet is generally accessible only by the corporation's employees, associates, and machines having authorization to access the intranet. An extranet is generally considered to be a network portion that is not directly part of the intranet, but that is communicatively coupled with the intranet and an external network, such as the Internet, through a firewall or other security barrier. An outsider, e.g. an entity of the external network, seeking access to an externally facing application or intranet resources may contact an extranet server which would prompt the outsider for security credentials, e.g., a username and password for an authorized account, that would be evaluated to determine the outsider's authorization to access the intranet.
Often, the extranet authentication infrastructure maintains user accounts duplicating valid accounts on the intranet to enable intranet users to use outward facing applications by validating against a duplicate set of security credentials. But, while this may enable use of the extranet application by intranet users, significant password synchronization problems may result. In addition, there may be difficulty in propagating new accounts between intranet and extranet servers. One common solution to these problems is to have the extranet application server pass security credentials which are directly validated against an authentication server for the intranet, e.g., the intranet's login server. This configuration removes the risk that the intranet and extranet servers may be out of sync, and other problems.
Unfortunately, by effectively allowing access to the intranet's authentication server from the extranet, the intranet becomes susceptible to attack, such as a denial of service attack. For example, most authentication servers only allow a certain number of improper authentication attempts, such as three attempts, before an account is blocked. Thus, if the extranet is allowed direct access to the intranet authentication server, an external malicious party can block network access for an employee, such as a high level executive, simply by intentionally performing incorrect extranet-based authentication requests. Lockouts may also occur in the process of performing a brut-force password-cracking attempt.